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                        The Financial Crimes Enforcement Network (FinCEN) administers
                        the Bank Secrecy Act (BSA), which established the framework to
                        combat criminal use of the financial system. BSA requires financial
                        institutions to report certain financial transactions made by their
                        customers. FinCEN oversees the management, processing, storage,
                        and dissemination of BSA data. In November 2006, FinCEN began
                        a system development effort, the BSA Information Technology
                        Modernization Program (BSA IT Mod), to improve the collection,
                        analysis, and sharing of BSA data. The intent of the effort was,
                        among other things, to transition BSA data from the Internal
                        Revenue Service (IRS) to FinCEN. BSA IT Mod is estimated to cost
                        $120 million and is to be completed in 2014.

                        Pursuant to a Congressional directive, we conducted the fifth in a
                        series of audits of FinCEN’s BSA IT Mod. 1 Consistent with the
                        Congressional directive, the objectives of the audit were to
                        determine if FinCEN is (1) meeting cost, schedule, and performance
                        benchmarks for the program and (2) providing appropriate oversight
                        of contractors. We also assessed any deviations from FinCEN’s
                        plan. The period covered by this audit was July through December

1
    House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including contractor
    oversight and progress regarding budget and schedule, semiannually. Our prior four reports issued
    under this directive are: FinCEN’s BSA IT Modernization Program Is on Schedule and Within Cost But
    Requires Continued Attention to Ensure Successful Completion (OIG-12-047; Mar. 26, 2012);
    FinCEN’s BSA IT Modernization Program Is Meeting Milestones, But Oversight Remains Crucial
    (OIG-12-077; Sep. 27, 2012); FinCEN’s BSA IT Modernization Program Met Milestones with Schedule
    Extensions (OIG-13-036; Mar. 28, 2013); and FinCEN’s BSA IT Modernization Program Was within
    Budget and on Schedule But Users Suggest Enhancements (OIG-13-053; Sep. 25, 2013).
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                         2013. We interviewed FinCEN program officials, Treasury‘s Office
                         of Chief Information Officer (OCIO) officials, and representatives
                         from Deloitte Consulting, LLP (Deloitte), and MITRE Corporation
                         (MITRE), the contractors involved with the program. 2 We also
                         reviewed applicable program documentation. We performed our
                         fieldwork from November 2013 through January 2014. Appendix 1
                         provides a more detailed description of our audit objectives, scope,
                         and methodology. Appendix 2 provides additional background
                         information on BSA IT Mod, including its component projects.

                         In September 2013, we reported on FinCEN’s BSA IT Mod as of
                         June 2013. 3 We found that BSA IT Mod was within budgeted
                         costs and that all planned milestones were completed except one,
                         the Broker Information Exchange project. 4 The schedule for this
                         milestone, the last one for BSA IT Mod, was modified to
                         incorporate phases and adjusted from April 2013 to April 2014
                         because of a reorganization of FinCEN that required additional time
                         to define the project’s requirements and align with the new
                         organization areas and priorities. Additionally, we reported that
                         FinCEN Query users from law enforcement and regulatory agencies
                         we interviewed were generally satisfied with the system, but
                         expressed some limitations and suggested enhancements. 5 FinCEN
                         analysts we interviewed told us that Advanced Analytics met their




2
    FinCEN contracted with Deloitte to oversee the systems development and integration effort. Deloitte
    was the prime contractor in the BSA IT Mod effort. FinCEN also engaged MITRE as a subject matter
    expert on program and project management and BSA IT Mod business capabilities. MITRE is a not-for-
    profit organization chartered to work in the public interest with expertise in systems engineering,
    information technology, operational concepts, and enterprise modernization. See appendix 2 for
    additional detail about FinCEN’s BSA IT Mod contracts.
3
    FinCEN’s BSA IT Modernization Program Was within Budget and on Schedule But Users Suggest
    Enhancements (OIG-13-053; Sep. 25, 2013).
4
    The Broker Information Exchange project is to provide a mechanism to share case information for both
    internal and external users. It also is to allow (a) law enforcement agencies to submit requests
    through FinCEN to financial institutions for information about financial accounts and transactions of
    persons or businesses that may be involved in terrorism or money laundering and (b) financial
    institutions to share information with one another through FinCEN to identify and report suspicious
    money laundering or terrorist activities to the federal government.
5
    FinCEN Query is used by FinCEN internal users and by registered external users to retrieve and
    analyze BSA data.
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                         needs though it was somewhat complex; the analysts also stated
                         that additional training would be beneficial. 6

                         In addition, we reported that BSA IT Mod had progressed from the
                         development phase to the operations and maintenance phase and
                         that there was a continued risk to the remaining project
                         development work with the program’s high-level of dependency
                         between its component projects. Another risk we identified was
                         that users’ needs differed and that FinCEN should consider,
                         prioritize, and accommodate those differences. We cautioned that
                         FinCEN’s continued attention will be necessary as FinCEN Query
                         and Advanced Analytics users become more familiar with the
                         system and may request changes, enhancements, and support.

Results in Brief
                         As of December 2013, we found that BSA IT Mod remained within
                         budgeted costs and was on schedule to be completed by April 1,
                         2014. During the audit period, FinCEN completed the first phase of
                         Release 2 of the Broker Information Exchange, the final milestone
                         project, within budget but 7 weeks beyond the planned schedule.
                         We do not consider this delay as significant.

                         FinCEN conducted performance testing of BSA IT Mod for the first
                         phase of Release 2 of the Broker Information Exchange and system
                         releases completed as part of operations and maintenance. 7 FinCEN
                         also completed its first user survey on FinCEN Portal 8 and FinCEN
                         Query, which will be used as a baseline for future customer
                         satisfaction surveys. 9 Survey respondents indicated that accessing
                         BSA data and developing queries was somewhat cumbersome and
                         complex. Users also expressed the need for additional training and
                         enhancements.


6
    Advanced Analytics provides complex search and retrieval functionality such as statistical analyses for
    FinCEN internal users to support their analytical, law enforcement, and regulatory activities.
7
    In the operations and maintenance phase, FinCEN manages the BSA IT Mod as one complete system;
    this includes prioritizing and resolving defects and change requests in common combined releases.
8
    Law enforcement and regulators access BSA data by logging through FinCEN Portal and then
    accessing FinCEN Query.
9
    2013 FinCEN Portal and FinCEN Query Performance Measure Survey FY 2013 (Sep. 2013).
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                         In our previous audit, users told us that there was no mechanism
                         to allow agency BSA IT Mod administrators to monitor staff use of
                         FinCEN Query or to limit access to particular features to detect
                         potential misuse and help ensure that BSA data is safeguarded.
                         During this audit, FinCEN agreed to provide one user agency with
                         logs detailing its employees’ use of FinCEN Query. 10 FinCEN has
                         acknowledged its responsibility to monitor usage of FinCEN Query,
                         and has begun to develop its own inspection program to monitor
                         potential misuse.

                         In our September 2013 report, we reported that FinCEN maintained
                         oversight of BSA IT Mod and that MITRE and Deloitte were
                         providing less support to FinCEN’s BSA IT Mod program
                         management as the development effort moved into operations and
                         maintenance. We also found Treasury OCIO’s monitoring of the
                         program was appropriate based on the overall positive track record
                         by FinCEN managing the BSA IT Mod development effort. During
                         our current audit, FinCEN’s oversight responsibilities increased by
                         providing more direction and oversight of the integration across the
                         various contracts as contractors transitioned away from providing
                         development program support. 11 No change occurred in the level of
                         program oversight by Treasury OCIO.

                         We are recommending that FinCEN (1) continue to work with users
                         to address user requests for training and enhancements and
                         (2) make agencies aware of the process for contacting FinCEN if
                         misuse of BSA data is suspected.

                         In its management response, which is provided in appendix 4,
                         FinCEN concurred with our recommendations. Its actions, both
                         taken and planned, are summarized in the Recommendations
                         section of this report and meet the intent of the recommendations.
                         With regard to continuing to address user requests for training and
                         enhancements, FinCEN uses the Data Management Council (DMC)
                         as the forum to discuss the business impacts of system issues

10
     BSA IT Mod includes an audit log of user activity on the system. FinCEN officials stated that FinCEN
     is ultimately responsible for maintaining the logs and monitoring BSA IT Mod system use.
11
     During the period covered by our audit, Deloitte discontinued providing FinCEN with BSA IT Mod
     program management and operations and maintenance support as the contract for these tasks
     expired. FinCEN awarded contracts to other contractors for these services. See appendix 2 for
     additional detail.
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                        raised by users. 12 FinCEN will continue to use the DMC in this
                        manner as it prioritizes work efforts throughout operations and
                        maintenance. With regard to making agencies aware of the process
                        for contacting FinCEN if misuse of BSA data is suspected, FinCEN
                        plans to present the current process for investigating potential
                        misuse of data to the DMC. Additionally, FinCEN will notify each
                        agency coordinator that if misuse of BSA data is suspected, the
                        coordinator should contact FinCEN.


Findings
Finding 1               BSA IT Mod Program Remained within Budget and Mostly
                        on Schedule
                        As of December 2013, we found that BSA IT Mod remained within
                        budgeted costs and was on schedule to be completed by April 1,
                        2014. During the audit period, FinCEN completed the first phase of
                        Release 2 of the Broker Information Exchange, the final milestone
                        project, within budget but 7 weeks beyond the planned schedule.
                        We do not consider the delay as significant.

                        BSA IT Mod Kept within Budgeted Costs

                        As of December 31, 2013, FinCEN reported that it spent
                        approximately $105.7 million developing BSA IT Mod from its
                        overall $120 million, 4-year planned budget. Not included in this
                        amount was approximately $11.2 million in initial program planning
                        costs, which we addressed in our March 2012 report. In that
                        regard, FinCEN’s actual program costs incurred through December
                        2013 were approximately $116.9 million. A breakdown by
                        category of the actual costs incurred is provided in Table 1 below.




12
     The DMC provides a forum for internal and external stakeholders to communicate their organizations’
     views to FinCEN. These members provide input on system and data-related topics including request
     for changes, data-related issues, and system defects.
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                          Table 1: BSA IT Mod Costs as of December 31, 2013 (in millions)
                          Category                                                             Amount
                          Initial Planning                                                      $11.2
                          Development
                              Hardware and Software                                              10.3
                              Contractor Services                                                46.0
                              Other1                                                             15.4
                              Operations and Maintenance2                                        27.4
                          FinCEN staffing costs3                                                  6.6
                             Total                                                             $116.9
                          Source: OIG analysis of FinCEN data.
                          1
                            Other costs are comprised of (1) program management and program
                            engineering performed by contractors including Deloitte and MITRE, (2) a
                            contract office fee of 4 percent for the Department of the Interior’s
                            National Business Center Acquisition Services Directorate for contract
                            support of the BSA IT Modernization Program, and (3) a management
                            reserve for potential additional work to be performed within the authorized
                            work scope of the contract or to accommodate rate changes for future
                            work.
                          2
                            Operations and Maintenance costs are comprised of hosting costs by the
                            Treasury’s Bureau of the Fiscal Service, hardware and software
                            maintenance support, network support, application support, and the
                            application help desk costs.
                          3
                            Staffing costs are estimated based on FinCEN’s Exhibit 300 submissions to
                            the Office of Management and Budget (OMB). FinCEN does not track the
                            staffing costs associated with BSA IT Mod. (Note: Required by OMB
                            Circular No. A-11, Preparation, Submission, and Execution of the Budget,
                            the Exhibit 300 describes the justification, planning, and implementation of
                            an agency’s major IT investments.)



                         FinCEN is funding BSA IT Mod through $119.9 million made
                         available in its annual congressional appropriations and through
                         supplemental funding from the Treasury Forfeiture Fund
                         administered by the Treasury Executive Office of Asset Forfeiture
                         (TEOAF). TEOAF provided funding for BSA IT Mod consistent with
                         its authority to provide funds for law enforcement related
                         expenditures. 13 Table 2 below identifies the program’s funding
                         sources by year.

13
     The Treasury Forfeiture Fund, which is the receipt account for the deposit of non-tax forfeitures
     resulting from law enforcement actions by participating Treasury and Department of Homeland
     Security agencies. The Treasury Forfeiture Fund was established under 31 U.S.C. § 9703. The Fund
     can provide money to other federal entities to accomplish specific objectives for which the recipient
     entities are authorized to spend money and toward other authorized expenses. Distributions from this
     Fund in excess of $500,000 cannot be used until the Appropriations Committees from both houses
     of Congress are notified. TEOAF submits its planned release of funds to Congress annually. Those
     submissions through fiscal year 2012 included the funding provided for the BSA IT Mod program.



                         FinCEN’s BSA IT Modernization Program is on Budget, on Schedule, and Close        Page 6
                         to Completion (OIG-14-029)
                         Table 2: BSA IT Mod Funding Sources as of December 31, 2013
                                  (in millions)
                                                                      Treasury
                         Fiscal           Congressional              Forfeiture
                         Year             Appropriation                   Fund            Total
                         2009                     $2.5                   $3.7             $6.2
                         2010                     18.5                   11.7             30.2
                         2011                     18.5                   11.5             30.0
                         2012                     23.5                     6.5            30.0
                         2013                     23.5                     0.0            23.5
                           Total                 $86.5                  $33.4           $119.9
                         Source: OIG analysis of FinCEN and TEOAF documentation.

                        After the planned completion of the final milestone project (the
                        second phase of Release 2 of the Broker Information Exchange) in
                        April 2014, FinCEN will continue to fund BSA IT Mod operation
                        and maintenance through FinCEN’s annual appropriation. FinCEN’s
                        fiscal year 2014 budget request included $23.5 million to fund the
                        program’s operation and maintenance. 14

                        BSA IT Mod Remained on Schedule But the First Phase of Final
                        Milestone Project Was Delayed

                        As of December 31, 2013, BSA IT Mod remained on schedule and
                        is to be completed by April 1, 2014, with the planned completion
                        of the final milestone project – the second phase of Release 2 of
                        the Broker Information Exchange. Appendix 3 provides the status
                        of BSA IT Mod by project.

                        During the audit period, FinCEN completed the first phase of
                        Release 2 of the Broker Information Exchange within budgeted
                        costs but 7 weeks beyond the planned schedule. FinCEN program
                        management officials told us that additional time was required to
                        finalize the project requirements and resolve software integration
                        issues encountered during development and testing. 15




14
     FinCEN’s fiscal year 2014 budget request was $103.9 million. Congress appropriated $112 million to
     FinCEN in the Consolidated Appropriations Act, 2014 (Public Law 113-76).
15
     The term software integration refers to the process that ensures software works together correctly;
     integration issues between Microsoft and Oracle software platforms caused the delay.
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Finding 2               FinCEN Addressed User Requested Enhancements and
                        Completed the First Survey on FinCEN Query
                         FinCEN conducted performance testing of BSA IT Mod for the first
                         phase of Release 2 of the Broker Information Exchange and system
                         releases completed as part of operations and maintenance. FinCEN
                         also completed its first user survey on FinCEN Portal and FinCEN
                         Query, which will be used as a baseline for future customer
                         satisfaction survey results. Survey respondents indicated that
                         accessing BSA data and developing queries was somewhat
                         cumbersome and complex. Users also expressed the need for
                         additional training and enhancements.

                         Performance Testing of BSA IT Mod Continued

                         FinCEN continued performance testing through government
                         acceptance testing. 16 FinCEN tested the first phase of Release 2 of
                         the Broker Information Exchange, as well as the enhancements
                         completed to other releases as part of operations and maintenance.
                         FinCEN continued to manage BSA IT Mod in the operations and
                         maintenance phase.

                         FinCEN officials told us there were no significant data processing
                         issues or significant performance issues observed in production.
                         FinCEN and MITRE officials considered all open defects to be of
                         low severity, meaning that the defects would not significantly
                         impair program performance or functionality. 17 Our review of
                         program documentation did not identify any significant
                         performance issues.

                         FinCEN Conducted an Initial Customer Satisfaction Survey

                         As of December 31, 2013, approximately 9,500 users had
                         performed approximately 4.5 million data queries since FinCEN

16
     Government acceptance testing is the Government’s opportunity to validate that the current release’s
     requirements were met. This includes testing functionality, system usability, permissions and
     security, compatibility testing, and traceability to business requirements through test script
     execution, demonstrations and inspections. Performance and response time are also observed.
17
     FinCEN logs and prioritizes all defects, requests for change and enhancements, as well as necessary
     fixes to repair system functionality. As of December 31, 2013, FinCEN had 189 requests for
     changes and enhancements and 291 open defects, which FinCEN continued to address.
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                        Query went live in September 2012. In June 2013, FinCEN
                        surveyed 8,000 users of FinCEN Portal and FinCEN Query
                        regarding their level of satisfaction with those systems.
                        Approximately 1,000 responses were received representing a
                        response rate of 13 percent. According to the survey administrator
                        used by FinCEN, the response rate was sufficient to ensure a high
                        sampling confidence of over 90 percent. 18

                        The survey results revealed a score of 62, on a scale of 0 to 100,
                        regarding the respondents’ overall level of satisfaction with FinCEN
                        Query. 19 This score was derived from the responses to three
                        survey questions in which respondents rated their experiences with
                        FinCEN Query—their overall satisfaction in accessing BSA data
                        through FinCEN Query; how FinCEN Query met their expectations;
                        and how FinCEN Query compared to what the respondents would
                        consider to be an ideal BSA data and retrieval system. Also of
                        note, the respondents favorably rated the overall value of BSA data
                        (a score of 77) as well as the support received from FinCEN’s
                        application’s help desk (a score of 84).

                        The survey also provided several open-ended questions where
                        respondents could comment. Respondent’s comments to the
                        survey indicated that accessing BSA data through FinCEN Portal
                        and developing queries through FinCEN Query was somewhat
                        cumbersome and complex. Respondents also stated the need for
                        additional training, including hands-on training, as well as
                        enhancements.

                        Survey ratings from one component within IRS, representing 26
                        percent of the total survey responses, were markedly less favorable
                        than those provided by respondents from other agencies. FinCEN
                        and IRS officials told us that users with this one IRS component
                        were still transitioning away from a legacy BSA data system



18
     The survey was administered by CFI Group, which has conducted surveys on behalf of FinCEN since
     2005.
19
     An American Customer Satisfaction Index (ACSI) score was derived from the weighted average of 3
     survey questions. ACSI is the only uniform, cross-industry/government measure of customer
     satisfaction and used to develop benchmarks across government. ACSI has measured more than 100
     programs of federal agencies since 1999. The federal government’s ASCI score was 68 for 2012.
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                        maintained by IRS and that they had not been using FinCEN Query
                        for as long as other agencies.

                        At the time of the survey, FinCEN Query had been available to
                        external users for about 9 months. 20 FinCEN program officials told
                        us that the survey results established a baseline for improvement,
                        as it was the first survey involving FinCEN Portal and FinCEN
                        Query. They expected survey scores to be generally low because
                        FinCEN Portal and FinCEN Query were still relatively new to users,
                        but expected future survey scores to rise as users become more
                        familiar with the systems through experience and training.

                        FinCEN officials told us that, overall, the survey indicated that
                        users needed to be better educated on how FinCEN Query is a
                        search engine and how it is data-driven as opposed to forms-
                        driven, meaning it returns all the data regardless of form-type, in
                        order to improve their ability to use it. As planned, FinCEN, in
                        conjunction with user group liaisons, completed development of a
                        training plan for external users and its analysts in February 2014.

                        FinCEN Continued to Address User Requests for Enhancements

                        In our last report, we noted that BSA IT Mod users had identified
                        some limitations with FinCEN Query and cited the need for
                        enhancements. Since June 2013, FinCEN has worked with users
                        through the DMC to address and prioritize suggested
                        enhancements as discussed below.

                        Improvements in Downloading and Searching Fields

                        In our previous audit, users told us that FinCEN Query search
                        results were challenging to sort in Microsoft Excel which made
                        analysis difficult. We were told that certain data fields within BSA
                        IT Mod could not be searched. During this audit, FinCEN provided
                        regulators and law enforcement users the capability to customize
                        FinCEN Query downloads for exporting into Microsoft Excel.
                        FinCEN also added about 40 data fields to FinCEN Query search
                        results and made additional data fields searchable.



20
     The initial rollout of FinCEN Query to external users began September 2012.
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                         Agencies’ Ability to Monitor or Limit Use of FinCEN Query

                         In our previous audit, users told us that there was no mechanism
                         to allow agency BSA IT Mod administrators to monitor staff use of
                         FinCEN Query or to limit access to particular features to detect
                         potential misuse and ensure that BSA data is safeguarded. During
                         this audit, FinCEN officials told us that disseminating this
                         information to user agencies was not part of the original business
                         requirements for BSA IT Mod and that it was ultimately FinCEN’s
                         responsibility to monitor for potential misuse. In this regard, FinCEN
                         has begun to develop its own inspection program to ensure the
                         BSA data is not misused. FinCEN also agreed to provide one
                         agency, IRS, with logs that detail its employees’ use of FinCEN
                         Query. 21 Regarding limiting access to particular features, such as to
                         Suspicious Activity Reports, FinCEN officials told us that this
                         feature was not built into BSA IT Mod’s FinCEN Query because the
                         system was not designed to operate in this manner as all BSA data
                         is treated the same—not differentiated by form type.

                         While FinCEN has acknowledged its responsibility to monitor usage
                         of FinCEN Query, and has begun to develop its own inspection
                         program to monitor potential misuse, we believe that FinCEN
                         should encourage the agencies to contact FinCEN if misuse of BSA
                         data is suspected.

                         Risks to BSA IT Mod Continue

                         Similarly to what we reported in September 2013, there is
                         continued risk with the program’s high-level of dependency
                         between its component projects. FinCEN officials told us that this
                         risk is an inherent risk in all IT programs and that they expect the
                         risk to continue as programming changes in any component may
                         affect and require programming changes to other components of
                         the system. Not unexpectedly, FinCEN and MITRE officials told us
                         that the loss of knowledge due to Deloitte’s departure from its
                         support of BSA IT Mod’s operations and maintenance represents an
                         additional risk to the ongoing system. 22

21
     BSA IT Mod includes an audit log of user activity on the system. FinCEN officials stated that FinCEN
     is responsible for maintaining the logs and monitoring BSA IT Mod system use.
22
     Deloitte provided operation and management and applications support as part of the BSA IT Mod 5-
     year contract that FinCEN awarded Deloitte in 2008. See appendix 2 for additional detail.
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Finding 3              FinCEN Assumed More BSA IT Mod Oversight
                       Responsibility
                       In our September 2013 report, we reported that FinCEN maintained
                       oversight of BSA IT Mod and that MITRE and Deloitte were
                       providing less support to FinCEN’s BSA IT Mod program
                       management as the development effort moved into operations and
                       maintenance. We also found Treasury OCIO’s monitoring of the
                       program was appropriate based on the overall positive track record
                       by FinCEN managing the BSA IT Mod development effort. During
                       our current audit, FinCEN’s oversight responsibilities increased as
                       contractors transitioned away from providing program support for
                       the development effort to managing the integration of multiple
                       contractors in the operations and maintenance phase. No change
                       occurred in the level of program oversight by Treasury OCIO.

                       FinCEN Oversight

                       FinCEN took on more BSA IT Mod oversight responsibility during
                       this audit period as MITRE transitioned away from providing routine
                       program management and technical support as the program
                       progressed from development to the operations and maintenance
                       phase.

                       MITRE representatives told us that they had no concerns regarding
                       its transition away from its support of FinCEN and that FinCEN
                       staff had matured sufficiently in order to manage the program.

                       Deloitte discontinued providing FinCEN with BSA IT Mod program
                       management support, as the task order for this service in its
                       contract had expired and was awarded to a new contractor. 23
                       However, Deloitte will provide project status reports for the final
                       project—the second phase of Release 2 of the Broker Information
                       Exchange. Deloitte had no concerns over the transition of their
                       responsibilities to the new contractor.




23
     In September 2013, FinCEN awarded a new contract for BSA IT Mod program management support
     to Total Systems Technologies Corporation. See appendix 2 for additional information.
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           Treasury OCIO Oversight

           In our previous audit, we found Treasury OCIO’s monitoring of the
           program appropriate given the overall positive track record by
           FinCEN managing the BSA IT Mod development effort. During this
           audit, we found Treasury OCIO continued to monitor FinCEN
           monthly data submissions to identify potential issues and
           performed macro-level reviews including trend analysis. Treasury
           OCIO also conducted quarterly investment status meetings with
           FinCEN and still plans to conduct a post implementation review
           upon the program’s completion. The post implementation review
           will evaluate whether the system works as originally planned.

           Treasury OCIO officials told us that BSA IT Mod was performing
           well and that they were satisfied with the level and quality of the
           program data provided by FinCEN. They were also satisfied with
           FinCEN’s management of the program.

           As we reported in our previous audits of BSA IT Mod, the Treasury
           CIO is a member of both the BSA IT Mod Modernization Executive
           Group and Executive Steering Committee, which meets on a
           quarterly basis or when a major decision or approval is sought. In
           December 2013, Treasury CIO attended a Modernization Executive
           Group meeting in which members conditionally approved ending its
           BSA IT Mod governance in March 2014. Treasury OCIO officials
           expressed to us that they had no concerns over this action.

           We believe that the oversight by FinCEN management and Treasury
           OCIO during this audit period was appropriate given the overall
           positive track record by FinCEN in managing its BSA IT Mod
           development effort.

Recommendations
           We recommend the FinCEN Director:

           1. Continue to work with users to address user requests for
              training and enhancements.
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                            Management Response

                            FinCEN uses the DMC as the forum to discuss the business
                            impacts of system issues raised by users (which can include
                            corrections, modifications, or enhancements to system
                            capabilities, reports, and/or training). FinCEN will continue to
                            use the DMC in this manner to inform the Investment Review
                            Board as it prioritizes work efforts throughout operations and
                            maintenance. 24

                            OIG Comment

                            The above commitment by FinCEN meets the intent of our
                            recommendation.

                        2. Make agencies aware of the process to contact FinCEN if
                           misuse of BSA data is suspected.

                            Management Response

                            FinCEN plans to present the current process for investigating
                            potential misuse of data to the DMC. Additionally, FinCEN will
                            notify each agency coordinator that if misuse of BSA data is
                            suspected, the coordinator should contact FinCEN. The planned
                            completion date is April 2014.

                            OIG Comment

                            The above commitment by FinCEN meets the intent of our
                            recommendation.




24
     FinCEN’s Investment Review Board is an executive level body responsible for overseeing major IT
     investments such as BSA IT Mod.
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We appreciate the cooperation and courtesies extended to our staff
during the audit. If you wish to discuss the report, you may
contact me at (617) 223-8638 or Mark Ossinger, Audit Manager,
at (617) 223-8643. Major contributors to this report are listed in
appendix 5.

/s/
Sharon Torosian
Audit Director
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                       Pursuant to a Congressional directive, this is the fifth in a series of
                       audits of the Financial Crimes Enforcement Network's (FinCEN)
                       Bank Secrecy Act (BSA) Information Technology Modernization
                       Program (BSA IT Mod). 25 Our objective was to determine if FinCEN
                       is (1) meeting cost, schedule, and performance benchmarks for this
                       program and (2) providing appropriate oversight of contractors. In
                       addition, we evaluated any deviations from FinCEN’s plan. We
                       determined the status of the program’s cost, schedule, and
                       performance through December 31, 2013.

                       To accomplish our objective, we interviewed officials with FinCEN,
                       Department of the Treasury’s Office of the Chief Information
                       Officer (OCIO), and FinCEN’s contractors. In addition, we reviewed
                       applicable program documentation including the 2013 FinCEN
                       Portal and FinCEN Query Performance Measure Survey. We
                       performed our fieldwork from November 2013 through January
                       2014.

                       At FinCEN, we interviewed:

                       •   The Chief Information Officer (CIO), Chief Technology Officer
                           (CTO), and BSA IT Mod Program Manager to obtain an update
                           on BSA IT Mod, cost and schedule concerns, project testing
                           conducted and defect resolution, strategies employed, and
                           overall progress of the program.

                       •   The project managers, project leaders, and contracting officer’s
                           representatives to obtain an understanding of their perspective,
                           level of involvement, schedule and performance concerns, and
                           overall progress of their respective projects.

                       •   The contracting officer’s representative for the 2013 FinCEN
                           Portal and FinCEN Query Performance Measure Survey to gain
                           an understanding of the results, scope, and methodology used
                           for the survey.




25
     House Report (H. Rept.) 112-331.
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External to FinCEN, we interviewed the following officials:

•   Deloitte LLP’s Managing Director and Deloitte’s Program
    Manager for BSA IT Mod to obtain an update on their
    perspective of BSA IT Mod and ascertain the program’s status.
    These interviews were conducted at the contractor’s office in
    Rosslyn, Virginia.

•   MITRE Corporation (MITRE) representatives to obtain an update
    of MITRE’s role as the federally funded research and
    development contractor, its level of involvement with the
    program, as well as issues, concerns, and other significant
    matters observed. These interviews were conducted at MITRE’s
    office in McLean, Virginia.

•   The Treasury OCIO’s Director of IT Capital Planning for an
    update on OCIO’s role in overseeing BSA IT Mod, as well as
    issues, concerns, and other significant matters.

•   CFI Group Program Director to obtain additional information on
    the 2013 FinCEN Portal and FinCEN Query Performance
    Measure Survey to gain an understanding of the results, scope,
    and methodology used for the survey.

We reviewed FinCEN program-related information, including:
management reports; minutes from executive, management, and
technical meetings; planning documentation; program and project
level documentation; and FinCEN presentations to internal and
external oversight groups (e.g., Congress, Office of Management
and Budget, Treasury OCIO, BSA IT Mod Modernization Executive
Group and Executive Steering Committee, and FinCEN
management).

We reviewed the final report and the raw data for a FinCEN-
commissioned 2013 FinCEN Portal and FinCEN Query Performance
Measure Survey. We reviewed the raw data to provide a
reasonable assurance of the validity of results reported by the
vendor. We also reviewed the narrative responses to the survey’s
open-ended questions to assess the user’s satisfaction with the
BSA IT Mod and any potential performance issues with the
program. We paid particular attention to the survey responses from
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                         various Department of Justice (DOJ) component agencies as our
                         attempt to obtain their feedback during our previous audit could
                         not be coordinated. 26

                         To substantiate that performance testing had occurred on BSA IT
                         Mod, we interviewed FinCEN officials involved with BSA IT Mod
                         government acceptance testing and reviewed testing-related
                         documentation, including testing plans and status reports. We
                         determined that any testing defects and issues identified during
                         testing were recorded in FinCEN’s project management and issues
                         tracking system.

                         We conducted this performance audit in accordance with generally
                         accepted government auditing standards. Those standards require
                         that we plan and perform the audit to obtain sufficient, appropriate
                         evidence to provide a reasonable basis for our findings and
                         conclusions based on our audit objectives. We believe that the
                         evidence obtained provides a reasonable basis for our findings and
                         conclusions based on our audit objectives.




26
     In our previous audit, we attempted to obtain DOJ feedback from BSA IT Mod users within its
     various components agencies; however, user interviews could not be coordinated in time for the
     audit. In this audit, we determined that the DOJ comprised 19 percent of the survey respondents,
     which we believe captured the DOJ BSA IT Mod users’ experiences and opinions with BSA IT Mod;
     accordingly, we did not interview DOJ users as part of this audit. We plan to contact DOJ users to
     obtain their feedback as part of our next audit of BSA IT Mod.
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                             FinCEN’s efforts to establish a system to manage and house
                             BSA data has been an extensive process. Planning of the
                             BSA IT Mod program began after an earlier attempt to
                             establish a similar program failed. 27 Figure 1 provides a
                             timeline of significant events in the BSA IT Mod program.

 Figure 1. Timeline of Significant Events in FinCEN’s BSA System Modernization Efforts

                                                                                                             April 2014
                         January 2007 –
                                                                                  January 2012                 Planned
                        December 2009
      July 2006                                          May 2010           FinCEN transitioned the         milestone and
                      FinCEN developed IT
        FinCEN                                           Design and          collection, processing,           system
                      governance process,
      terminated                                        development         and storage of all BSA          development
                      stakeholders’ needs,
      BSA Direct                                        phase started             data from IRS              completion
                       and business case


 2006          2007           2008        2009          2010         2011          2012          2013        2014


        November 2006                 January 2009             June 2011         November 2012           March 2013
     FinCEN established IT                Program                FinCEN              FinCEN             FinCEN adjusts
     modernization, vision             initiation and           realigned         completed roll        schedule of the
      and strategy and set            planning phase            costs and         out of FinCEN              Broker
         modernization                of BSA IT Mod              adjusts         Query to 7,500           Information
           foundation                      started              schedule              users                Exchange
                                                                                                             Project

 Source: OIG review of FinCEN data.



                             Projects Included

                             BSA IT Mod is made up of multiple projects with specific
                             components. The projects are summarized below. All
                             projects except for the Broker Information Exchange were
                             completed as of December 31, 2013.



27
     FinCEN terminated BSA Direct Retrieval and Sharing after concluding the project had no
     guarantee of success. We reviewed that failure and found that FinCEN poorly managed the
     predecessor project, insufficiently defined functional and user requirements, misjudged
     project complexity, and established an unrealistic completion date. We also found that the
     Treasury OCIO did not actively oversee the project, as required by the Clinger-Cohen Act of
     1996. Treasury Office of Inspector General (OIG), The Failed and Costly BSA Direct R&S
     System Development Effort Provides Important Lessons for FinCEN’s BSA Modernization
     Program (OIG-11-057: Jan. 5, 2011).
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•   System of Record (SOR) provides data storage and
    architecture for BSA data for 11 years of BSA data.

•   Shared Filing Services provides for validation of BSA data
    with external data sources, such as validation of
    addresses to U.S. Postal Service data.

•   Third Party Data provides the SOR additional BSA data
    through external data sources such as the financial
    institution identification number assigned by the Federal
    Reserve.

•   Bulk Data Dissemination is used for the distribution of
    large quantities of BSA data to external users.

•   Data Conversion converted 11 years of BSA data from an
    Internal Revenue Service legacy system to the FinCEN’s
    new SOR.

•   BSA E-Filing is used by BSA filers to submit all required
    electronic filing of BSA forms to FinCEN.

•   FinCEN Query is a tool designed to improve authorized
    users’ ability to access and analyze BSA data. The tool is
    used by FinCEN internal users and by registered external
    users and customers to retrieve and analyze BSA data.
    The tool supports traditional structured BSA data queries,
    and provides narrative search capabilities and options to
    coordinate and collaborate with users on queries
    performed.

•   Advanced Analytics provides complex search and
    retrieval functionality for FinCEN internal users to support
    their analytical, law enforcement, and regulatory
    activities. The tool provides advanced analytical
    capabilities such as geospatial, statistical analysis, social
    networking, semantic interchange, and visualization
    capabilities.

•   Register User Portal/Identity Management/Access Control
    Management provides the means for common user
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                            interface and authentication process through which both
                            internal and external authorized users gain access to all
                            future BSA IT Mod applications.

                        •   Infrastructure provides the design, development,
                            procurement, and implementation of the development and
                            test environments, storage area network(s), and disaster
                            recovery capabilities required to support BSA IT Mod
                            projects.

                        •   Broker Information Exchange provides the Financial
                            Intelligence Repository, which includes 314A and 314B
                            components. The Financial Intelligence Repository project
                            is to replace FinCEN’s case management systems—FinDB
                            for investigative cases, and the Customer Management
                            System for compliance cases. The first release of the
                            Financial Intelligence Repository project is to create the
                            Financial Intelligence Repository and incorporates
                            SharePoint (a Microsoft software application for sharing
                            information) as a mechanism to share case information
                            for both internal and external users. The 314A
                            component allows law enforcement agencies to submit
                            requests through FinCEN to financial institutions for
                            information about financial accounts and transactions of
                            persons or businesses that may be involved in terrorism
                            or money laundering. The 314B component allows
                            financial institutions to share information with one
                            another through FinCEN to identify and report suspicious
                            money laundering or terrorist activities to the federal
                            government. 314A and 314B refer to Section 314 of the
                            USA Patriot Act that requires FinCEN of establish these
                            functionalities. 28 The project is ongoing as of December
                            2013.

                        •   Alerts provides for an automatic alert to be sent to
                            FinCEN analysts about suspicious activities reported by
                            filers based on pre-defined criteria.



28
     Section 314 of the USA Patriot Act is established under 31 U.S.C. § 5311.
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                         Contractors Engaged by FinCEN

                         In March 2008, FinCEN awarded a 5-year indefinite delivery,
                         indefinite quantity (IDIQ) contract to BearingPoint, Inc., to
                         support a full range of information technology services,
                         custom applications, maintenance support, and infrastructure
                         support necessary to implement the FinCEN IT operational
                         objectives. Numerous task orders have been issued against
                         the contract including those for the BSA IT Mod program. 29
                         The contract was subsequently transferred to Deloitte
                         Consulting, LLP (Deloitte). 30 The contract ceiling is a
                         maximum of $144 million and a minimum of $1 million over
                         the contract’s 5-year life. FinCEN also contracted with
                         MITRE Corporation (MITRE) at a cost of approximately $2.1
                         million to provide management guidance, coordination, and
                         evaluation support for BSA IT Mod. 31 MITRE is a subject
                         matter expert on program and project management, and BSA
                         IT Mod business capabilities.

                         FinCEN is using the Treasury’s Bureau of the Fiscal Service
                         Administrative Resource Center for new contracting services
                         related to BSA IT Mod. FinCEN had previously used the
                         Acquisitions Services Directorate of the U.S. Department of


29
     An IDIQ contract provides for an indefinite quantity of services during a fixed period of time.
     This type of contract is used when it cannot be predetermined, above a specified minimum,
     the precise quantities of supplies or services that the government will require during the
     contract period. IDIQ contracts are most often used for service contracts and architect-
     engineering services. An IDIQ contract is flexible, especially when not all the requirements
     are known at the start of a contract and is conducive to a modular approach, which would be
     one with phases or milestones.
30
     The IDIQ contract was transferred from BearingPoint, Inc. to Deloitte on October 1, 2009
     after Deloitte purchased substantially all of the assets of Bearing Point, Inc., Public Service
     Division.
31
     MITRE is a not-for-profit organization chartered to work in the public interest with expertise
     in systems engineering, information technology, operational concepts, and enterprise
     modernization. Among other things, it manages federally funded research and development
     centers, including one for IRS and U.S. Department of Veterans Affairs (the Center for
     Enterprise Modernization). Under Treasury’s existing contract with MITRE, Treasury and its
     bureaus, with permission of the IRS sponsor, may contract for support, and to facilitate the
     modernization of systems and their business and technical operation, the following task
     areas: strategic management, technical management, program and project management,
     procurement, and evaluation and audit.
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the Interior as the contract office to administer the contract.
FinCEN chose this office because of its prior experience
handling large, complex procurements.

FinCEN officials told us that Deloitte’s 5-year IDIQ contract
ended in March 2013; however, the Acquisitions Services
Directorate allowed a 6-month extension to September 2013
and allowed FinCEN to extend various task orders under the
IDIQ contract. As of December 31, 2013, FinCEN officials
stated that Deloitte still had one task order in place to
complete development of the Broker Information Exchange,
which had been extended until the end of April 2014.

During this audit period, FinCEN awarded new BSA IT Mod
contracts using the Administrative Resource Center as the
contracting agency.

•   In August 2013, a new contract for BSA IT Mod network
    support was awarded to NavStar, as a 2.5-year firm fixed
    contract. The contract awards $2.064 million in the six
    month base year and has a contract ceiling of $9.3
    million. Deloitte’s task order under its IDIQ contract for
    network support ended at the end of September 2013.

•   In September 2013, a new contract for BSA IT Mod
    program management support was awarded to Total
    Systems Technologies Corporation, as a 3-year, firm
    fixed price contract. The contract award was for
    $750,761 in the base year with a total contract ceiling of
    $2.279 million. Deloitte continued its support program
    management during the transition until the expiration of
    Deloitte’s contract at the end of December.

•   In November 2013, a new contract for operations and
    maintenance was awarded to Northrup Grumman. It is a
    6-month contract with three 1-year extensions with a
    total value of $22,823,940.
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                    As of December 31, 2013, all BSA IT Mod component projects are
                    completed except for the second phase of Release 2 of the Broker
                    Information Exchange project. Table 1 displays the status of BSA
                    IT Mod by project.

Table 1. BSA IT Mod Project Schedule Status as of December 31, 2013
                                                                          Actual or
                                                                          Planned
                                 Planned             Revised Planned      Completion        Project
                                 Completion          Completion           Date at           Status at
                                 Date at May         Date at June         December          December
Project                          20101               20112                20133             2013
SOR
      Release 1                  9/30/2011           12/1/2011            12/15/2011        Complete
      Release 2                  6/30/2012           7/1/2012             10/16/2012        Complete
Shared Filing Services
      Release 1                  9/30/2011           12/1/2011            12/15/2011        Complete
      Release 2                  6/30/2012           7/1/2012             10/16/2012        Complete
Third Party Data
      Release 1                  9/30/2011           12/1/2011            12/15/2011        Complete
      Release 2                  6/30/2012           7/1/2012             10/16/2012        Complete
Data Conversion                  12/31/2011          1/1/2012             1/6/2012          Complete
E-Filing
      Release 1                  6/30/2011           7/1/2011             7/1/2011          Complete
      Release 2                  10/31/2011          7/1/2012             7/31/2012         Complete
FinCEN Query
      Release 1                  2/28/2012           6/1/2012             7/20/2012         Complete
      Release 2                  9/30/2012           10/1/2012            11/16/2012        Complete
Advanced Analytics
      Release 1                  10/31/2010          10/31/2010           10/31/2010        Complete
      Release 2                  4/30/2011           4/30/2011            4/30/2011         Complete
      Release 3                  7/31/2012           9/1/2012             8/1/2012          Complete
      SCIF4                      n/a                 12/1/2012            11/9/2012         Complete
Register User Portal             3/31/2011           3/31/2011            3/31/2011         Complete
Identity/Access
Control Management               3/31/2011           3/31/2011            3/31/2011         Complete
Broker Information Exchange
     314A,B Release 1            5/31/2011           5/31/2011           5/31/2011          Complete
     314A,B Release 2 Phase 1    12/31/2012          4/1/2013            9/20/20135         Complete
     314A,B Release 2 Phase 26   n/a                 n/a                 4/1/20145          Ongoing
Alerts                           9/30/2012           1/1/2013            1/4/2013           Complete
Bulk Data Dissemination
      Release 1                  9/30/2011           3/1/2012            4/17/2012          Complete
      Release 2                  6/30/2012           7/1/2012            10/16/2012         Complete
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Table 1. BSA IT Mod Project Schedule Status as of December 31, 2013
                                                                               Actual or
                                                                               Planned
                                    Planned               Revised Planned      Completion        Project
                                    Completion            Completion           Date at           Status at
                                    Date at May           Date at June         December          December
Project                             20101                 20112                20133             2013
Infrastructure & Portal Security
Develop and Test                    9/30/2010            9/30/2010            9/30/2010          Complete
     Release 1                      3/31/2011            3/31/2011            3/31/2011          Complete
     Release 2                      9/30/2011            9/30/2011            9/30/2011          Complete
     Release 3                      6/30/2012            n/a7                 n/a7               n/a7
Source: OIG analysis of FinCEN documentation.
1
  The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design
  and development of projects after receiving Office of Management and Budget approval.
2
  FinCEN submitted a baseline change request to the Treasury CIO to adjust selected project milestone
  schedule dates and realign costs to keep the overall program on track. The baseline change was implemented
  in June 2011.
3
  Dates represent the actual completion dates if the project was completed, or the planned completion date as
  of the cutoff date of our review (December 31, 2013).
4
  A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold
  information concerning or derived from intelligence sources, methods, or analytical processes. FinCEN plans
  to provide its SCIF with advanced analytics capability, which was not part of the May 2010 initial plan but
  was part of the June 2011 baseline change request.
5
  A baseline change was implemented in March 2013 which adjusted the schedule completion dates.
6
  Initially, Release 2 of the project was planned as one phase.
7
  Not applicable - The work planned for Infrastructure release 3 was removed from the project and will be
  done as part of BSA IT Mod’s on-going operations and maintenance.
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